On April 22 – right in the middle of “Cyber Week” in the U.S. House of Representatives – Steve Grobman, Intel Fellow and Intel Security’s CTO, will testify before the House Committee on Small Business to discuss how, from Intel’s perspective, small businesses can best protect themselves from cyber attacks. Steve’s testimony focuses on the escalating threat landscape, including the particular risks to small business, the role best practices and education can play in helping small businesses protect themselves, and how industry can deliver innovative solutions to help protect small business.
Steve also points out that many highly sophisticated and well-resourced attackers are increasingly turning their attention to small businesses as a means to create revenue from a large number of what they perceive as less-protected targets, or as an attack conduit to breach larger business or government targets rich in high-value data or other assets. This trend highlights how cybersecurity threats to small businesses can have a much greater impact beyond the small businesses themselves, which is why Steve recommends that large and small enterprises analyze the threats both to themselves and to their connected ecosystem partners.
Of course, broader impacts are not the sole reason to harden small businesses against cyber attacks: many are at the forefront of innovation themselves and have valuable intellectual property to guard from cyber thieves. And while they generally don’t have the same sophisticated cybersecurity infrastructure as many large businesses, it would be a mistake to think small businesses are not technologically savvy – far from it. In fact, small businesses are making use of innovative technologies such as mobility, cloud and IoT as business enablers, although ironically, these same innovative technologies can create a security gap if not properly managed.
So what’s the answer? Steve tells the Committee that protecting small businesses from cyber attack is not so much a matter of inventing new technology as it is educating them about a holistic risk management approach that he refers to as “protect, detect, correct.” Education about the advantages of deploying integrated solutions – something that we call Security Connected – is another recommendation. Even if a small business owner doesn’t have the resources to invest in a wide array of connected security tools, she can get access to the benefits of these technologies via cloud-based solutions or Software as a Service offerings from Intel Security or other vendors.
Steve also advises using the Framework for Improving Critical Infrastructure Cybersecurity (we just call it the Framework), an industry-government initiative emerging from President Obama’s 2013 executive order on cybersecurity that Intel helped develop and has participated in extensively. Grounded in consensus best practices and international standards, the Framework is a flexible risk management tool to improve cybersecurity. Even if a small business uses only part of it, there is still much to be gained from the Framework as a key educational reference tool to help small businesses understand how to better prioritize and manage risks. We at Intel learned this firsthand when we tested the Framework across our Office and Enterprise infrastructure and wrote a paper about our key learnings (you can read it here).
One big benefit of our Framework implementation was that it helped us develop a common language to describe and discuss cybersecurity risks across our large organization. Seems simple, but having terms that everyone from the CEO to the IT staff understands in the same way is critical to getting a handle on an organization’s risk profile. In fact, our use of the Framework demonstrated such benefit that we figured if it can help a large mature organization such as Intel, it could help smaller organizations too. So we took the initiative to link the Framework to our Supplier Guidelines, in an effort to make sure our ecosystem of suppliers, including many small businesses, are using sound risk management-based security practices focused on not only protection, but other important risk management functions such as detection, response and recovery. Intel encourages other organizations to follow the path we forged by developing their own Framework use cases and driving adoption of the Framework across their ecosystems.
This is just a sampling of the suggestions Steve made on behalf of Intel. He also had some advice for policymakers: namely, security mandates on small business won’t work, and while cybersecurity is a shared responsibility, the private sector should continue to lead. When Steve’s testimony is available we’ll make sure we post it. Then again, you might want to participate in House Cyber Week by attending the hearing yourself – either in person or virtually (you can access details on how to do that here). I’ll be blogging more about cybersecurity policy issues, so stay tuned. And enjoy Cyber Week!
– John Miller, Director, Cybersecurity Policy and Federal Government Relations